GDPR—Meeting the 72-hour breach notification period

Beyond the Earth-Moon system, thousands of asteroids known as Near-Earth Objects (NEOs) are known to exist. These rocks periodically cross Earth’s orbit and make a close flyby of Earth. Over the course of millions of years, some even collide with the Earth, causing mass extinctions. Little wonder then why NASA’s Center for Near Earth Object Studies (CNEOS) is dedicated to monitoring the larger objects that occasionally come close to our planet.

If you study astronomy, you’re likely familiar with the concept of NEOs, which are objects that could strike the earth and potentially cause an extinction event. For MSPs, data breaches can have the same effect on their businesses as NEOs can have on the Earth. The General Data Protection Regulation (GDPR) requirement to investigate and report data breaches within a 72-hour window can make data breaches feel just as threatening in terms of potential damages.

The GDPR text can feel vague when it comes to the data breach notification portion. However, what we can say with some certainty is that, at some point, you will likely have a customer who asks you to help them meet the data breach response requirements of GDPR. They might not even approach you—you could be the one to discover the potential breach. As a result, it’s important to know the facts about data breaches to be prepared. 

Statistics and Key Facts on Data Breach Reporting

According to article 33 of GDPR, the information required under GDPR for reporting a data breach includes:

• The nature of the breach 
• The name/contact details of the organization’s data protection officer
• The likely consequences of the breach
• The measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects  

This means you’ll need to determine these as best you can after discovering a breach—and report to the authorities within the 72-hour window if required. 

Concerned about the 72-hour deadline? Well, here are two statistics that are even more worrisome:

• It takes an average of 191 days to identify a data breach 
• Fewer than 19% of data breaches are self-detected 

Fortunately, the 72-hour reporting window starts from the moment the organization becomes aware of the breach. However, it’s pretty difficult to investigate a data breach that took place weeks or months earlier—remember that 191 days is the average time it takes to identify a breach. So, from an incident response perspective, the sooner the potential breach is detected, the better.

Those statistics paint a pretty bleak picture of the current state of data breach detection, investigation, and response. Once in effect, the GDPR will require MSPs to investigate and respond to all data breaches—and this could be made more difficult if they don’t move the detection needle from 191 days to closer to three.  To have a fighting chance of meeting this challenge, preparation, tools, and “a plan” is required. 

In terms of preparation, please see the GDPR Quick Win Strategy Guide blog post series (post 1, post 2, post 3, and post 4). These strategies could perhaps aid you in preventing customer data breaches altogether, but the top strategy for MSPs should be to fundamentally reduce the potential risk of a customer data breach in the first place.

Understanding Threats

Despite your best efforts, a security incident can happen to a customer in an instant through a simple social engineering attack, misconfiguration, or undetected malware. Even a ransomware attack could fall into the category of a data breach, as GDPR defines it as, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, transmitted, stored or otherwise processed.” Ransomware could fall under the “loss of data” category here. 

Fortunately, ransomware attacks are pretty blatant and are becoming easier to fix, as backup tools, best practices, and security technology have increasingly focused on this threat. For the vast majority of MSPs, ransomware attacks are likely to be the only security incident they’ll face. The latest numbers suggest 91% of cyberattacks and the resulting data breaches begin with a phishing email attack, and of those attacks, 93% of them are ransomware payloads.^,

For almost every other security incident, you will likely need to examine the type of data breach and what type of contact there may have been from the cybercriminals. This may include determining the nature of the data breach or identifying what data was stolen, tampered with, or permanently destroyed. You may also need to determine if the cybercriminals contacted your customer or their customers. If so, then you may be dealing with a law enforcement matter, as it’s possible that an extortion or blackmail attempt may be made against your customer.

Types of Security Incidents

A security failure leading to a data breach (other than ransomware, which is pretty obviously a data availability issue) can generally be assigned into one of three categories: 

• Unauthorized disclosure of data subject’s personal information 
• Tampering with or altering of a data subject’s personal data by an unauthorized party
• Denial of access to a data subject’s personal data

Thus, if “Bothan” cybercriminals steal the plans to your company’s “Death Star,” and the Imperial personnel records or Imperial customer’s records were not included or impacted in any way, the good news is,  GDPR may not be relevant, even if those “Death Star” plans were your firm’s life’s work. 

If you find data subjects’ personal data was potentially impacted by the data breach, you will need to determine the level of harm and consequences of the breach. SolarWinds MSP’s GDPR guidebook can help point you in the right direction on understanding the severity of the situation and the potential impact of the stolen data.

After that, it’s time to help your customer determine what course of action to take. You may need to make changes to process, procedures, and technology, and you may need to contact the customers who have been impacted if required. Once it’s known that personal data was involved, it’s best to be extra meticulous in documentation and action. Your area’s Supervisory Authority may need to be notified of the breach—so you’ll want to have documentation of all your good- faith efforts. 

What to Expect During a Data Breach Incident

As an MSP—and possibly first responder to a data breach situation—all the work you have done will come under scrutiny. But if you stand by your customer by documenting and performing your due diligence, the 72-hour breach notification will be unlikely to cause an extinction event for your customer. 

 

Sources:

1. “Astronomers Practice Responding to a Killer Asteroid,” Universe Today. https://www.universetoday.com/137789/astronomers-practice-responding-killer-asteroid/ (accessed November 2017).

2. “Data Breach Notification Under the GDPR: Issues to Consider,” Browne Jacobson LLP. https://www.brownejacobson.com/training-and-resources/resources/legal-updates/2016/03/data-breach-notification-under-the-gdpr-issues-to-consider (accessed November 2017).

3. “Art. 33 GDPR: Notification of a Personal Data Breach to the Supervisory Authority,” Intersoft Consulting. https://gdpr-info.eu/art-33-gdpr/ (accessed November 2017).

4. “2016 Ponemon Institute Cost of Data Breach Study,” IBM and Ponemon Institute. https://www.ibm.com/security/data-breach/index.html (accessed November 2017).

5. “The Data Breach Detention Gap and Strategies to Close It,” Infocyte. https://www.infocyte.com/breach-detection-gap-conf (accessed November 2017).

6. “Article 4: EU GDPR Definitions,” SecureDataService. https://www.privacy-regulation.eu/en/4.htm (accessed November 2017).

7. “Enterprise Phishing Susceptibility and Resliency Report,” PhishMe. https://phishme.com/enterprise-phishing-susceptibility-report (accessed November 2017).

8. “2016 Q1 Malware Report,” PhishMe. https://phishme.com/project/phishme-q1-2016-malware-review/ (accessed November 2017).

 

This document is provided for informational purposes only and should not be relied upon as legal advice or to determine how the EU General Data Protection Regulation (GDPR) may apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies to your organization, and how best to ensure compliance. SolarWinds MSP makes no warranty, express or implied, or assumes any legal liability or responsibility for the information contained herein, including the accuracy, completeness, or usefulness of any information. 

 

© 2018 SolarWinds MSP UK Ltd. All Rights Reserved.